FCA Fines UK Regulated Bank £1.5m for Poor Anti-Money Laundering Checks
The FCA has fined a UK regulated bank over £1.5 million for significant weakness in its financial crime systems and controls. As detailed in its Decision Notice, between 9 June 2014 and 5 July 2017, the bank failed to conduct sufficient checks on its customers based in countries with a higher risk of money laundering and terrorist financing and to undertake the correct checks when some of the customers were classed as Politically Exposed Persons (“PEPs”).
The regulator found serious shortcomings in the following areas of the bank’s anti-money laundering (“AML”) policies and procedures which breached provisions of the Money Laundering Regulations 2007 (“MLRs 2007”):
- Customer due diligence (“CDD”) to verify the identity of its customers – including those who have a beneficial interest in the customers, to establish and adequately scrutinise the source of their wealth and funds;
- Enhanced due diligence (“EDD”) of customers that pose a higher risk of money laundering or terrorist financing – such as those who were domiciled in high-risk jurisdictions or were PEPs;
- Ongoing monitoring of its customers throughout their relationship with the bank – particularly in respect to ensuring that CDD and EDD information were kept up-to-date and reflected the current level of financial crime risk presented by each customer; and
- Internal controls that should have allowed the bank to rectify the above-mentioned shortcomings in an orderly and timely manner – in particular, the compliance function was under-resourced.
The bank’s inadequate policies and procedures contributed to failings in respect to not only establishing a customer’s source of wealth and funds but also the identification of PEPs and ongoing monitoring of a customer relationship.
Failure to establish source of wealth and funds
Most of the bank’s AML policies and procedures were high level in nature and did not provide sufficient guidance on the measures that needed to be adopted to properly assess, manage and mitigate the money laundering risk posed by its customers. Until May 2016, its policies did not contain adequate practical guidance in terms of how a customer’s sources of wealth and funds would need to be established. They also lacked definitions for source of wealth and funds and failed to provide examples of the documents needed to validate these requirements.
The root causes of the issues specified above included the bank’s approach to onboarding, ongoing monitoring and reliance on publicly available information.
The 2016 Internal Audit found that the bank did not sufficiently validate the sources of wealth and funds for high-risk customers (even though this had been highlighted in its earlier 2013 Internal Audit). There was inadequate documentary evidence provided by high-risk customers regarding the activity that generated their funds and where their funds were being transferred from, as well as a lack of evidence of its contact with customers to establish their sources of wealth and funds for high net-worth and high-risk customers.
In one example that raised concerns, the bank opened an account for a company based in Kuwait (“Company A”) for the purposes of pooling the funds of Company A’s customers for a prospective real estate investment. The bank relied on Company A to carry out customer due diligence of the investors, many of whom were high risk, high net worth customers. The bank:
- Took inadequate measures to confirm the quality of Company A’s AML checks
- Did not require Company A to collect information about customers’ source of wealth and funds which was required under its AML policies
As a result, it accepted US $62 million into an account associated with Company A and its clients without properly vetting the funds for money laundering risk.
The bank failed to understand the extent of its obligations to undertake due diligence in respect of the ultimate shareholders of its customers.
The bank entered business relationships and transacted with customers without undertaking adequate EDD on them or the ultimate shareholders from whom the customers' wealth was derived – some of whom were PEPs. As a result, it failed to fully identify and mitigate potential money laundering risks presented by its highest risk customers.
Despite having a specific policy on PEPs, on several occasions the bank failed to identify PEPs who were underlying shareholders of its customers. In one example, it identified only one PEP in the file of a US-based special purpose vehicle (“Customer D”) but failed to identify that there were six further PEPs among the underlying shareholders at this time.
The 2016 Internal Audit found that the bank had not performed periodic or event driven reviews since 2011 – despite the majority of customers attracting high risk. Further identified weaknesses in its controls included that its systems did not hold all due diligence information about a customer which prevented effective ongoing monitoring at periodic reviews or “trigger” events and that it did not have automated “trigger” systems in place for event driven reviews. The absence of ongoing monitoring stemmed from resourcing issues, a lack of effective AML training for customer facing staff and the initial due diligence undertaken at the onboarding stage not meeting the required standards. Until 5 July 2017, its policies did not set out details regarding the frequency of ongoing monitoring.
The lack of appropriate due diligence and ongoing monitoring meant the bank failed to properly assess the money laundering risk posed by Customer D for almost five years.
In January 2012, the bank agreed to act as a fund adviser and sponsor to Customer D which had been set up to facilitate various real estate investments but it did not undertake a risk review until almost two years later and took limited and incomplete steps to verify the identity of the investors until the customer file was reviewed in connection with the Compliance Review in August 2016. This was despite the fact that the bank had been in possession of information since October 2012 which showed that one of the beneficial owners of Customer D was a PEP.
There were serious deficiencies in the internal control and oversight model the bank had implemented for managing AML risks
The compliance function at the bank felt that they “ran into difficulties” with the rest of the business when they tried to perform their role and did not feel they got “adequate support” from its Audit, Risk and Compliance Committee (“ARCC”) or senior management to encourage the rest of the bank to support compliance in its efforts. The bank operated a “flawed” three lines of defence model in that its compliance function assumed responsibilities which would ordinarily sit with the first line of defence. This was demonstrated by the fact that, in addition to its normal compliance-related responsibilities, its compliance function was responsible for carrying out due diligence when onboarding new customers and leading the customer file remediation as part of the compliance review to rectify the deficiencies in previously obtained due diligence.
The bank had not implemented an effective AML and CDD training programme
An effective AML training programme for first line staff was not implemented and delivered until April 2017. The lack of a clear division of responsibility for due diligence between the first and second line of defence meant that the Compliance function as the second line of defence did not act as an effective means of monitoring and mitigating money laundering risks. At least until early 2016, the Compliance function was insufficiently resourced which resulted in it not being able to undertake its compliance monitoring effectively. The bank was aware of the issues with its three lines of defence model as early as June 2014. However, despite the issues being flagged to the ARCC on a number of occasions, limited steps were taken to address the ineffectiveness of its risk management framework.
Many of the bank’s customers posed higher money laundering risks because they were from high-risk jurisdictions or were special purpose vehicles held in overseas jurisdictions who had complex ownership structures.
For such customers, establishing their shareholder structure is crucial to obtaining a comprehensive understanding of the identity of the ultimate beneficial owner of a customer – in addition to the nature and degree of control that the owner may have over the customer. The bank failed to understand the extent of its obligations to undertake due diligence in respect to the ultimate shareholders of its customers while inadequate ongoing monitoring meant that it could not adequately reassess the customer relationship as it developed over time. Its ‘three lines of defence’ model was ineffective – meaning that front line relationship managers did not appropriately screen customers while an overburdened Compliance function was left to remedy deficiencies in the quality of due diligence information collected. The FCA considered these failings to be particularly serious because the bank was aware from as early as June 2013 that there were deficiencies in its AML controls but no steps were taken until mid-2014 to commence remediation of these deficiencies and they occurred despite industry wide messaging – through both published guidance and a number of Final Notices – reiterating the importance of compliance with AML requirements.
By 5 July 2017, the majority of the bank’s key AML policies and procedures which implemented the required AML controls took effect
By July 2017, the bank implemented new AML-related policies and procedures and took steps to embed an effective three lines of defence model – whereby the ‘first line’ relationship managers who interacted with customers took on more responsibility for ensuring that it carried out appropriate due diligence. This included:
- The delivery of training to the first line of defence in relation to, among other things, the new CDD procedures that the first line was required to follow.
- Putting measures in place to address misunderstandings between the bank and Company A in relation to the bank’s due diligence requirements.
- Introducing service level agreements with third parties who assisted with due diligence.
- Regular reviews of systems and controls were also undertaken, including formal audits.
In order to manage financial crime risks, senior management should “lead from the top” in this regard by ensuring that AML controls are embedded at all levels across the firm and that the importance of complying with AML requirements is impressed on all members of staff. Firms should have robust governance, effective risk procedures and adequate internal control mechanisms; they should assess the risks that their business may be used for the purposes of financial crime and then mitigate those risks effectively through identifying their customers, understanding their relationship with them, and undertaking ongoing monitoring.
Senior management should ensure that the firm has:
- A thorough understanding of its financial crime risks in order to apply proportionate systems and controls
- An organisational structure that promotes coordination and information sharing across the business
- Sufficiently detailed and up-to-date policies and procedures that can be easily accessed and understood by all staff
- Staff – who are provided with regular training – and therefore have the skills and expertise to do their jobs effectively
Firms are advised to take heed and review their own arrangements in light of the above as the FCA will continue to hold firms accountable for weaknesses in their financial crime systems and controls.
How we help
AML Due Diligence Support – KYC/CIP Onboarding and AML Screening: Our AML Due Diligence managed services offerings are designed to assist your firm with implementing effective AML practices that meet industry best practices and comply with applicable local laws and regulations. Our AML team has extensive experience with a variety of firm profiles and strategies. We provide strategic support for key layers of your AML onboarding or deal-related reviews and screening – comprehensive support for firms who want us to take on the entire process.
Regulatory Technology: Optimal efficiency and best practices are achieved when pairing these services with our AML Screening module in ACA ComplianceAlpha®. The AML Screening module conducts sanctions screening and provides timely, automated, ongoing monitoring of 1,500 critical lists. This is a full-service, single vendor offering that is provided and supported by our team of compliance professionals, which includes Certified Anti-Money Laundering Specialists (CAMS), and other industry leading financial crimes certificates.
Training: We offer a wide range of tailored and open training courses – including one on Financial Crime Prevention which is specifically designed to assist Senior Management at FCA-registered firms in meeting their statutory and regulatory obligations in order to help firms achieve compliance. Our tailored training is ideal for those with larger groups, specific topics to be briefed on, or complex scheduling and timing for busy teams in different jurisdictions.